Commit 1cd96c24 authored by Boaz Harrosh's avatar Boaz Harrosh Committed by Jens Axboe

block: WARN in __blk_put_request() for potential bio leak

Put a WARN_ON in __blk_put_request if it is about to
leak bio(s). This is a serious bug that can happen in error
handling code paths.

For this to work I have fixed a couple of places in block/ where
request->bio != NULL ownership was not honored. And a small cleanup
at sg_io() while at it.
Signed-off-by: default avatarBoaz Harrosh <bharrosh@panasas.com>
Signed-off-by: default avatarJens Axboe <jens.axboe@oracle.com>
parent f028f3b2
...@@ -1062,6 +1062,9 @@ void __blk_put_request(struct request_queue *q, struct request *req) ...@@ -1062,6 +1062,9 @@ void __blk_put_request(struct request_queue *q, struct request *req)
elv_completed_request(q, req); elv_completed_request(q, req);
/* this is a bio leak */
WARN_ON(req->bio != NULL);
/* /*
* Request may not have originated from ll_rw_blk. if not, * Request may not have originated from ll_rw_blk. if not,
* it didn't come out of our reserved rq pools * it didn't come out of our reserved rq pools
......
...@@ -403,6 +403,8 @@ static int attempt_merge(struct request_queue *q, struct request *req, ...@@ -403,6 +403,8 @@ static int attempt_merge(struct request_queue *q, struct request *req,
if (blk_rq_cpu_valid(next)) if (blk_rq_cpu_valid(next))
req->cpu = next->cpu; req->cpu = next->cpu;
/* owner-ship of bio passed from next to req */
next->bio = NULL;
__blk_put_request(q, next); __blk_put_request(q, next);
return 1; return 1;
} }
......
...@@ -214,21 +214,10 @@ static int blk_fill_sghdr_rq(struct request_queue *q, struct request *rq, ...@@ -214,21 +214,10 @@ static int blk_fill_sghdr_rq(struct request_queue *q, struct request *rq,
return 0; return 0;
} }
/*
* unmap a request that was previously mapped to this sg_io_hdr. handles
* both sg and non-sg sg_io_hdr.
*/
static int blk_unmap_sghdr_rq(struct request *rq, struct sg_io_hdr *hdr)
{
blk_rq_unmap_user(rq->bio);
blk_put_request(rq);
return 0;
}
static int blk_complete_sghdr_rq(struct request *rq, struct sg_io_hdr *hdr, static int blk_complete_sghdr_rq(struct request *rq, struct sg_io_hdr *hdr,
struct bio *bio) struct bio *bio)
{ {
int r, ret = 0; int ret = 0;
/* /*
* fill in all the output members * fill in all the output members
...@@ -253,12 +242,10 @@ static int blk_complete_sghdr_rq(struct request *rq, struct sg_io_hdr *hdr, ...@@ -253,12 +242,10 @@ static int blk_complete_sghdr_rq(struct request *rq, struct sg_io_hdr *hdr,
ret = -EFAULT; ret = -EFAULT;
} }
rq->bio = bio; blk_rq_unmap_user(bio);
r = blk_unmap_sghdr_rq(rq, hdr); blk_put_request(rq);
if (ret)
r = ret;
return r; return ret;
} }
static int sg_io(struct request_queue *q, struct gendisk *bd_disk, static int sg_io(struct request_queue *q, struct gendisk *bd_disk,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment